Opinion: Why political campaigns need chief information security officers
The Democratic and Republican parties – and their presidential candidates – should immediately put someone in charge of safeguarding their data. It's for the good of voter privacy and American democracy.
After the Democratic National Committee hack and data dump, let's hope that 2016 becomes the year political campaigns begin taking cybersecurity seriously.
The DNC announced last week that it created a four-person cybersecurity advisory board to help victims mitigate the potential impact of the breach. But that's not good enough. Both the Democratic and Republican parties – as well as the Hillary Clinton and Donald Trump campaigns – should hire chief information security officers (CISO) as soon as possible.
That's not a cure-all by any means. But putting someone in charge of safeguarding their vast collections of sensitive data – whether on political strategies, the candidates themselves, or voters – would vastly improve their defenses against cybercriminals and the prying eyes of foreign intelligence operatives.
If the nation's politicians and political campaigns don't improve their cyberdefenses soon, not only will Americans' personal data be at greater risk but the entire democratic process could be compromised.
In recent months, the DNC breach has shaken the members and machinery of a major US party, attackers have unleashed cyberattacks on Mr. Trump's website, and alleged Russian hackers have penetrated the email accounts of major political operatives. All of this has potentially given our adversaries a "near-encyclopedic understanding" of our policymakers.
It's not enough to just exclaim that campaigns need better cybersecurity. A CISO could help the campaigns hammer home these points:
Voter privacy matters
Whether voters know it or not, political campaigns view their personal information as an asset, no differently than retailers or developers behind the latest addictive mobile apps.
With a CISO's voice in the room, campaigns could better protect this information from unauthorized disclosure and possibly avoid "business" decisions where voter data is monetized in a way that risks blowback and the optics of a candidate being weak on data protection.
Consider the revelation that Rick Santorum’s campaign, for example, sold its donor list to a survivalist vendor looking to court "doomsday preppers."
It’s for confidence in elections
The saga of hanging paper chads was infamous in 2000 – but that will pale in comparison to suspicions that US history and policy were forever altered by a foreign or other power deliberately manipulating voters and parties with targeted data breaches.
Our elections are our country’s business – no one else’s – and getting CISOs on the roster of all campaigns should be a top nonpartisan priority. These professionals could even go a step further to regularly share intelligence on breach attempts and other malicious activity, to further deter tampering and demonstrate that all parties are united on this issue.
It’s about national security
In the 1950s, there was paranoia that Soviet agents were quietly injecting pro-communist influences in the bedrock of US politics and interest groups, like organized labor and Hollywood. Today, we know the Red Scare was exaggerated, alarmist and distracting from more authentic threats.
Now, we risk unchecked political hacking pushing us back into a similarly distracting scare era, because cybersecurity weaknesses give adversaries unprecedented ability to siphon invaluable data from across the political spectrum – information that can be used for profiling, blackmail, and probably worse as attackers correlate individuals' entire digital lives to recruit agents or better inform attacks.
Generations ago we worried about communists hiding behind every tree. Now, concern over foreign malware in every candidate’s laptop is shaking confidence in our national security and the integrity of our election process.
Voters, donors, and the media need to keep up the pressure on candidates to work harder to prevent cyberattacks. After all, whoever gets elected will face immense challenges in updating policies to protect our nation's computer networks and systems – including those that operate our nuclear power plants, electrical grids, dams, and other critical infrastructure.
By hiring CISOs, they’d demonstrate the right kind of foresight that could win over many voters in November – and keep us all more secure in the meantime.
Bob Hansmann is director of security technologies at Forcepoint (@Forcepointsec) in Austin, Texas. For more than 30 years, he has been responsible for monitoring security trends including new types of malware, social-engineering techniques and the risks of emerging technologies.